Property
Language: javascript
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

thenify builds each promisified wrapper as a source string and passes it to eval. In vulnerable versions the value of the multiArgs option is concatenated into that string without escaping, so if the option is derived from untrusted input (a request parameter, a config value an attacker can write, a field from a parsed document) rather than a literal boolean, the attacker's text becomes part of the generated function and is executed with the privileges of the Node.js process. The rule flags calls to thenify whose multiArgs value is not a constant. Pass a literal true or false, never a value that crosses a trust boundary, and keep thenify at a release that serialises the option before inserting it.
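The following is an added example, not thenify's own source: a reduced model of the code-generation pattern described above, with the vulnerable builder beside a hardened one. The `sideEffects` array is a constructed sink so that injected code is observable, and the attacker-controlled `payload` string stands in for a value that would arrive from a request parameter.

```javascript
// Added example (not thenify's own source): a reduced model of the pattern this
// rule flags. A callback-style function is promisified by assembling the wrapper
// as a source string and handing it to eval; the multiArgs option is spliced
// into that string. `sideEffects` is a constructed sink so injected code is observable.
const sideEffects = [];

// Shared template. The only difference between the unsafe and safe builders is
// the text that lands after `var multiArgs = `.
function buildWrapper(multiArgsSource) {
  return '(function (fn) {\n' +
    '  return function () {\n' +
    '    var self = this\n' +
    '    var args = Array.prototype.slice.call(arguments)\n' +
    '    var multiArgs = ' + multiArgsSource + '\n' +
    '    return new Promise(function (resolve, reject) {\n' +
    '      args.push(function (err) {\n' +
    '        if (err) return reject(err)\n' +
    '        var rest = Array.prototype.slice.call(arguments, 1)\n' +
    '        resolve(multiArgs ? rest : rest[0])\n' +
    '      })\n' +
    '      fn.apply(self, args)\n' +
    '    })\n' +
    '  }\n' +
    '})';
}

// Vulnerable shape: the option value is concatenated into the source verbatim.
// A string such as "true; <anything>" becomes two statements inside the wrapper.
function buildWrapperUnsafe(multiArgs) {
  return buildWrapper(multiArgs);
}

// Hardened shape: accept only a real boolean (default true) and JSON-encode it,
// so the generated text is exactly `true` or `false` whatever the caller sent.
function buildWrapperSafe(multiArgs) {
  if (multiArgs === undefined) multiArgs = true;
  if (typeof multiArgs !== 'boolean') {
    throw new TypeError('multiArgs must be a boolean, got ' + typeof multiArgs);
  }
  return buildWrapper(JSON.stringify(multiArgs));
}

// Direct eval runs the generated source with this module's scope, so injected
// code can reach sideEffects, require, process and anything else visible here.
function promisifyUnsafe(fn, options) {
  return eval(buildWrapperUnsafe(options.multiArgs))(fn);
}

function promisifySafe(fn, options) {
  return eval(buildWrapperSafe(options.multiArgs))(fn);
}

// Run both builders against an attacker-controlled option value (constructed;
// the shape a query parameter could carry) and report what happened.
function demo() {
  sideEffects.length = 0;
  const payload = "true; sideEffects.push('injected')";
  const addCb = (a, b, cb) => cb(null, a + b, 'extra'); // callback-style function to wrap

  const unsafe = promisifyUnsafe(addCb, { multiArgs: payload });
  unsafe(1, 2); // the injected statement runs synchronously on this call
  const hitsAfterUnsafe = sideEffects.length;

  let safeRejectedPayload = false;
  try {
    promisifySafe(addCb, { multiArgs: payload });
  } catch (e) {
    safeRejectedPayload = e instanceof TypeError;
  }

  const safe = promisifySafe(addCb, { multiArgs: false });
  safe(1, 2); // resolves to 3; nothing outside the wrapper runs
  const hitsAfterSafe = sideEffects.length;

  return { hitsAfterUnsafe, safeRejectedPayload, hitsAfterSafe };
}

console.log(demo());
```

The hardened builder does two things: it refuses anything that is not a boolean, and it serialises the value with JSON.stringify so the generated source can only ever contain `true` or `false`. Upgrading thenify gives you the serialisation step; rejecting non-boolean values at your own call site is what keeps a tainted request parameter from being treated as "enabled" in the first place.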

Impact

If exploited, an attacker runs arbitrary JavaScript with the privileges of the Node.js process: reading and exfiltrating data it can reach, issuing requests with its credentials, tampering with user accounts, or pivoting to the underlying host. In practice this means full application compromise and a data breach, with the corresponding operational and regulatory damage.